Connected healthcare is the latest buzzword where the entire ecosystem from the consumer to the healthcare provider to the physicians to the payers with life sciences and medical devices are linked. When the ecosystem is connected and there is a petabytes of data transfer every second. When there is data transfer there has to be a mechanism of safeguarding the data. Especially the cybersecurity practices w.r.t the applications, infrastructure and devices have to be matured.
So deep understanding of cybersecurity is key for the connected healthcare. Here we outline a few of the key aspects including the risk mitigation techniques, the incident reporting, deep defense strategies with tool stacks.
The key tenets of the cybersecurity are the Inventory of hardware and software, Prioritization of the critical data and applications, Monitoring, Advanced Defense with Secure SDLC and Testing. We will also focus on a few of the key regulations for the healthcare devices and in the value chain.
The different aspects of standardized and up to date inventory of the hardware, software, outsourced and purchased devices and applications for the security implementation roadmap are important. The collection and contextualization of both proprietary and traditional IT system configuration data, including I/O cards, firmware, and software installed, and control strategies into a single repository. Having a clear inventory gives the following benefits of cybersecurity
- Hardens industrial control assets from cyber threats
- Enables internal and regulatory compliance requirements
- Reduces compliance and operational efforts by up to 90%
- Prevents unplanned downtime due to unauthorized changes
- Manages across all major control system manufacturers
The next big element in the cyber security in the connected healthcare and its risk prioritization life cycle. The following steps enable the same
- Locate accountability for cyber security in your organization so that decision making, execution, and incident response is effective.
- Identify the value of your information assets to your organization and to potential attackers in order to quantify the impact of security problems.
- Analyze security threats specific to your industry and type of organization.
- Identify where security risk management should be integrated into software development and technology acquisition.
- Create a security strategy so that the organization can proactively respond to an evolving threat landscape.
- Manage the residual risk that exists in every system.
When we have Risk mitigation life cycle the next key step is monitoring of the devices and applications
- Critical Web Applications and Data are the most important to protect in the enterprises
- Next generation firewalls, Intrusion Prevention Systems and other traditional network security controls don’t stop the latest industrialized, multi-vector attacks, leaving the organization exposed to costly and damaging breaches and downtime.
- Web Application Security solutions will enable to prevent breaches and downtime by protecting your data where it’s accessed – the web applications – securing them against web attacks, DDoS, site scraping, and fraud.
Once the monitoring is enabled and happening, we need to focus parallel on the Deep defense strategies –
- Implementation and advance protection, including the runtime self defense and real-time adaptive Defense techniques
- Advanced warning systems to defend against constantly evolving web-based attacks are vital to protect against advanced cyber attacks.
- This is where threat intelligence from a trusted crowd-sourced platform and community of peers has become extremely valuable. We have to cover the following for the deep defense
- Reputation Service: Filters traffic based upon latest, real-time reputation of the source
- Community Defense: Adds unique threat intelligence crowd-sourced from Imperva users
- Bot Protection: Detects botnet clients and application DDoS attacks
- Account Takeover Protection: Protects website user accounts from attack and take over
- Fraud Prevention:Simplifies deployment of best-in-class partner fraud prevention solutions
- Emergency Feed: Delivers latest signatures right away to mitigate against zero-day vulnerabilities
- Malicious IP Addresses: Sources that have repeatedly attacked other websites
- Anonymous Proxies: Proxy servers used by attackers to hide their true location
- TOR Networks: Hackers who are using The Onion Router (TOR) to disguise the source of attack
- IP Geolocation: Geographic location where attacks are coming from and block access
- Phishing URLs: fraudulent sites (URLs) that are used in phishing attacks
- Comment Spammers: IP addresses of known active comment spammers
- Credential Intelligence: Detect and mitigate
- Credential stuffing using harvested credentials
- Dictionary attacks using weak passwords
- Privileged account default password attacks
- Device Intelligence: Detect and mitigate
- Device logins from high-risk devices
- Transactions from devices behind TOR/proxies
- Geo-based high risk locations – ISPs, Geo/IP mismatches
- Multiple devices accessing the single account, or single device accessing multiple accounts in a short period of time
The final steps in the implementation is the Secure SDLC and testing
- A Secure SDLC process ensures that security assurance activities such as penetration testing, code review, and architecture analysisare an integral part of the development effort.
- The primary advantages of pursuing a Secure SDLC approach are:
- More secure software as security is a continuous concern
- Awareness of security considerations by stakeholders
- Early detection of flaws in the system
- Cost reduction as a result of early detection and resolution of issues
- Overall reduction of intrinsic business risks for the organization
There are various regulations which govern connected healthcare. The below are a few of them
- IEC/TR 80001-2-9 – Application of risk management for IT-networks incorporating medical devices – Part 2-9: Application guidance – Guidance for use of security assurance cases to demonstrate confidence in IEC/TR 80001-2-2 security capabilities (under development)
- IEC 80002-1—Medical device software – Part 1: Guidance on the application of ISO 14971 to medical device software
- AAMI/UL 2800—Safety and Security Requirements of Interoperable Medical Systems (under development)
- AAMI/TIR 57—Principles for medical device information security management
There are some standards for Incident reporting in connected healthcare for cybersecurity
- Standards for incident reporting are key to making reporting correct and useful and to understand the cause of the incident.
- The EU Directive on the security of network and information systems (the NIS Directive), adopted in July 20166 sets the legal basis for cyber incident reporting and sharing in certain critical infrastructure sectors, including transportation, healthcare and cloud computing services.
- It establishes the principles of Computer Security Incident Response Team (CSIRT), cooperation among member states on specific cybersecurity incidents, sharing information about risks (CSIRT network) and a culture of security across sectors.
- From 2018, data privacy breach reporting will become mandatory under the 2016 EU Global Data Protection Regulation.7
- The US department of Homeland Security (DHS) recommendation is to “develop a policy regarding the coordinated disclosure of vulnerabilities, including associated security practices to address identified vulnerabilities.
Finally, we can drive cybersecurity through collaboration in connected healthcare.
Basic guidelines for talking to patients about medical devices –
We need to explain how to operate and maintain the device according to the manufacturer’s directions. Always confirm with the patient, their family and caregivers that they understand the instructions before leaving your office. Please advise patients to keep the instructions easily accessible for quick reference. We need to tell the patient to only allow trusted individuals to have access to their device.
The Patient needs to be encouraged to talk to their health care provider or call their device supplier to get further clarification and get feedback on their queries. Secondly, turning off the device when not needed and only connect the devices in a trusted network.
We need to encourage the patient to talk to their health care provider or call their device supplier if they have questions. We have to inform the patient if they can turn off the device when not using it and remind the patient to connect the device only to trusted networks. Educating the patients with the tips and do’s and dont’s -whenever encryption is available, enable it to help protect health information stored or sent by mobile devices. Always ask them to use a strong password or other user authentication.
The patient has to be made aware that they need to install and activate wiping and/or remote disabling to protect the data on your mobile device if it is lost or stolen which quite critical.
We educate the patients with the tips -whenever encryption is available, enable it to help protect health information stored or sent by mobile devices. Always let them use a strong password or other user authentication. The patient mobile needs to have a firewall to block unauthorized access and should be enabled by security software to protect against malicious applications, viruses, spyware, and malware-based attacks.
The device has to have the security software up to date. It is better to research mobile applications (apps) before downloading. They also have to maintain physical control of your mobile device. Know where it is at all times to limit the risk of unauthorized use. We can also advise if we use additional layers of security, such as a VPN to send or receive health information over public Wi-Fi networks. Finally, we tell them to delete all stored health information on computers and mobile devices before discarding or donating them
There are many ways to implement the cybersecurity strategies for connected healthcare. In this article we have covered some of the principles to have a holistic approach to solve this problem.